Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1913+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-15265: Tenable Agent Path Traversal — Arbitrary File Write & RCE (CVSS 9.1)
CVE-2026-15265: Tenable Agent Path Traversal — Arbitrary File Write & RCE (CVSS 9.1)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-15265

CVE-2026-15265: Tenable Agent Path Traversal — Arbitrary File Write & RCE (CVSS 9.1)

A critical path traversal vulnerability in Tenable Agent 11.2.0 and 11.1.3 and earlier allows a privileged attacker to write arbitrary files outside the intended plugin directory, potentially achieving remote code execution.

Dylan H.

Security Team

July 15, 2026
6 min read

Affected Products

  • Tenable Agent 11.2.0
  • Tenable Agent 11.1.3 and earlier

Executive Summary

A critical path traversal vulnerability (CVE-2026-15265) has been identified in Tenable Agent, a widely deployed endpoint agent used by enterprises running the Tenable vulnerability management platform (Tenable.sc, Tenable.io, Tenable One). The flaw allows a privileged attacker to write arbitrary files to locations outside the intended plugin directory, with the potential to achieve remote code execution.

CVSS Score: 9.1 (Critical)

While the vulnerability requires elevated privileges to exploit, the potential to write arbitrary files to any path on the system — and the near-universal deployment of Tenable Agent in enterprise environments — makes this a critical remediation priority. Organizations should patch immediately.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-15265
CVSS Score9.1 (Critical)
TypePath Traversal / Arbitrary File Write
Attack VectorLocal / Network (privileged context)
Privileges RequiredPrivileged (elevated)
User InteractionNone
Confidentiality ImpactHigh
Integrity ImpactHigh
Availability ImpactHigh
Affected VersionsTenable Agent ≤ 11.1.3 and 11.2.0
Patch AvailableYes — upgrade to patched release

Affected Products

ProductAffected VersionsStatus
Tenable Agent11.2.0Patched in later release
Tenable Agent11.1.3 and earlierPatched in later release
Tenable.io managed agentsDepends on deployed versionApply update via console
Tenable.sc managed agentsDepends on deployed versionApply update via console

Technical Analysis

Root Cause

CVE-2026-15265 stems from insufficient path validation in the Tenable Agent's plugin management subsystem. When the agent processes plugin data, it does not adequately sanitize directory traversal sequences (e.g., ../, ..\) embedded in plugin paths or metadata. A privileged attacker — someone with the ability to interact with the agent's plugin interface or supply crafted plugin content — can exploit this to write files to arbitrary locations on the host filesystem.

The plugin directory is intended to be a controlled location where Tenable's vulnerability check content resides. Breaking out of this boundary enables an attacker to overwrite system binaries, configuration files, or drop payloads in startup/persistence locations.

Attack Flow

1. Attacker gains privileged access to a system running Tenable Agent
   (e.g., compromised admin account, lateral movement, insider threat)
2. Attacker crafts a malicious plugin package or payload with path traversal sequences
   in file paths (e.g., "../../../../etc/cron.d/backdoor" or "../../system32/malware.dll")
3. Attacker delivers the crafted payload to the Tenable Agent plugin processing path
4. Agent fails to validate/normalize the path — writes file to attacker-controlled location
5. File is written outside the plugin directory (arbitrary filesystem write)
6. Attacker uses the written file for persistence (cron job, startup item, DLL hijack)
7. Code execution achieved — persistence or privilege maintained

Why This Is Dangerous

Tenable Agent runs with elevated privileges on every managed endpoint — typically as a service account with broad system access. The agents are deployed on:

  • Domain controllers — highest-value targets in enterprise environments
  • Database servers — financial, healthcare, and PII data at risk
  • Critical infrastructure systems — OT/ICS environments using Tenable OT Security
  • Cloud workloads — AWS EC2, Azure VMs, GCP instances with agent-based scanning
  • Containerized environments — Kubernetes nodes and container hosts

Arbitrary file write on these systems with agent-level privileges provides multiple avenues for persistence and further compromise.


Impact Assessment

Impact AreaDescription
Remote Code ExecutionWrite to cron, startup, or service directories → persistent shell
Privilege EscalationOverwrite SUID binaries or sudo configuration on Linux/Unix
PersistencePlant backdoors in autorun locations, evade detection
Data IntegrityOverwrite critical system or application files
Supply Chain RiskTenable Agent deployed org-wide — single exploit path affects all managed endpoints
Lateral MovementWritten credentials or SSH keys enable pivoting to additional systems

Immediate Remediation

Step 1: Identify Affected Agent Versions

# Linux: Check Tenable Agent version
/opt/nessus_agent/sbin/nessuscli --version
 
# Windows: Check via PowerShell
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Nessus Agent*" } | Select-Object Name, Version
 
# Or check registry on Windows
Get-ItemProperty "HKLM:\SOFTWARE\Tenable\Nessus Agent" | Select-Object Version

Step 2: Update Tenable Agent

# Linux — update via package manager (RPM-based)
sudo yum update NessusAgent
 
# Linux — update via package manager (Debian-based)
sudo apt-get update && sudo apt-get upgrade nessusagent
 
# Or download the updated installer from:
# https://www.tenable.com/downloads/nessus-agents

Tenable.io / Tenable.sc users: Initiate a mass update of all agents from the management console:

Tenable.io → Settings → Agents → Select All → Update Agents
Tenable.sc → Scan → Agent Management → Update All

Step 3: Restrict Agent Privileges (Defense in Depth)

While patching, review and minimize the service account privileges used by the Tenable Agent:

# Linux: Verify Tenable Agent service user
ps aux | grep -i nessus
# The agent should run as a dedicated low-privilege user where possible
 
# Check agent service configuration
systemctl show nessusagent | grep User

Step 4: Monitor for Exploitation Indicators

# Linux: Watch for unusual file writes in agent plugin directory and parent paths
inotifywait -m -r /opt/nessus_agent/var/nessus/plugins/ -e create -e modify | \
  grep '\.\.'
 
# Check for recently modified files outside expected plugin paths
find /opt/nessus_agent/ -newer /opt/nessus_agent/var/nessus/plugins/ \
  -not -path "*/plugins/*" -type f 2>/dev/null

Detection Indicators

IndicatorDescription
Files written outside /opt/nessus_agent/var/nessus/plugins/Path traversal exploitation
New cron entries matching agent process parentPersistence via written cron job
Unexpected SUID binary modificationsPrivilege escalation attempt
Agent process writing to /etc/, /tmp/, or Windows system directoriesAnomalous file activity
Tenable Agent process spawning unexpected child processesPost-exploitation code execution

Post-Remediation Checklist

  1. Patch all Tenable Agent instances (11.1.3 and below, 11.2.0) to the latest version
  2. Audit recently modified files on systems running the vulnerable agent version — look for anomalous writes outside the plugin directory
  3. Review cron jobs, startup items, and scheduled tasks on affected hosts for unauthorized entries
  4. Rotate credentials on systems that ran the vulnerable agent if exploitation is suspected
  5. Check agent logs for unusual plugin processing activity
  6. Verify integrity of critical system binaries on high-value endpoints (domain controllers, database servers)
  7. Update your asset inventory to confirm all agent-managed endpoints have been patched

References

  • NVD — CVE-2026-15265
  • Tenable Downloads — Nessus Agents
  • Tenable Security Advisories
#CVE-2026-15265#Tenable#Tenable Agent#Path Traversal#Arbitrary File Write#RCE#Remote Code Execution#CVSS 9.1

Related Articles

CVE-2026-41228 — Froxlor Path Traversal via def_language

A critical path traversal vulnerability in Froxlor's Customers.update and Admins.update API endpoints allows authenticated low-privilege users to traverse...

5 min read

CVE-2026-6057: FalkorDB Browser Unauthenticated Path

FalkorDB Browser 1.9.3 contains a critical unauthenticated path traversal vulnerability in its file upload API that allows remote attackers to write...

6 min read

CVE-2026-59792: JetBrains IntelliJ IDEA Remote Code Execution via Path Traversal

A critical RCE vulnerability (CVSS 9.6) in JetBrains IntelliJ IDEA before 2026.1.4 allows code execution through path traversal in project workspace ID...

3 min read
Back to all Security Alerts